discordrat | eb2cd837b0019b8b749f26848f79987728ba6eeaefac717ae295aec3d77f6d41

Resubmissions

03/03/2024, 01:44

240303-b5tg3sbb9y 10

03/03/2024, 01:39

240303-b26cgabf48 10

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
03/03/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

29abd40a4fd8ef178c87129181a4fd73
SHA1

bab65aa718e97d07bd0e0732d167333502460f13
SHA256

eb2cd837b0019b8b749f26848f79987728ba6eeaefac717ae295aec3d77f6d41
SHA512

a9df4364f8b4953336b221266f4035e395fbddea8a22b49c96b3d0603c8e6530fff4decdd843a98d0cb3e7ed77bfe2bbcf8e0952f11b6838eb941cff5236fe02
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+OPIC:5Zv5PDwbjNrmAE+qIC

Score

10^/10

discordrat discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzY1NjQ2NDQyMjYwMDc1NA.GmONnQ.zvgoeyWByXkk--Y3X0yBfX91brnJEV1TfpkkEI
server_id
1213656241784758272

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
2148	7z.exe
4452	7z.exe
3576	launcher.exe
5272	QtWebEngineProcess.exe
5840	crashreport.exe

Loads dropped DLL 49 IoCs

pid	Process
2148	7z.exe
4452	7z.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
3576	launcher.exe
3576	launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
17	discord.com
28	discord.com
53	discord.com
91	discord.com
92	discord.com
153	discord.com
94	discord.com
194	discord.com
1	raw.githubusercontent.com
2	discord.com
6	discord.com
15	raw.githubusercontent.com
16	discord.com
87	raw.githubusercontent.com
4	discord.com
23	discord.com
43	raw.githubusercontent.com
57	discord.com
90	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Genshin Impact\languages\de-de.qm	7z.exe
File created	C:\Program Files\Genshin Impact\languages\vi-vn.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\api-ms-win-core-sysinfo-l1-1-0.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\7z.dll	7z.exe
File created	C:\Program Files\Genshin Impact\updateProgram\libeay32.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\languages	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\languages\tr-tr.qm	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\de.pak	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\lv.pak	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qt_he.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\libssl-1_1-x64.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\Qt5Widgets.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\config.ini.gynFBc	launcher.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\en-GB.pak	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qt_fr.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\translations\qt_uk.qm	7z.exe
File created	C:\Program Files\Genshin Impact\scenegraph\qsgd3d12backend.dll	7z.exe
File created	C:\Program Files\Genshin Impact\updateProgram\imageformats\qjpeg.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\msvcp120.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\Qt5Quick.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\da.pak	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-core-synch-l1-2-0.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\position\qtposition_winrt.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\imageformats\qicns.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\platforms	7z.exe
File created	C:\Program Files\Genshin Impact\languages\ru-ru.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\bg.pak	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\fr.pak	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\nb.pak	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qt_en.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\translations\qt_de.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\translations\qt_he.qm	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-crt-string-l1-1-0.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\languages\ja-jp.qm	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\uk.pak	7z.exe
File created	C:\Program Files\Genshin Impact\updateProgram\translations\qt_pl.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\astrolabe\crashreport\TelemetryServiceplat_apm_sdk.db-journal	crashreport.exe
File created	C:\Program Files\Genshin Impact\icudtl.dat	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\pt-PT.pak	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qt_sk.qm	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-core-rtlsupport-l1-1-0.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\imageformats\qgif.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\uninstall.exe	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\languages\ko-kr.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\languages\zh-cn.qm	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-core-sysinfo-l1-1-0.dll	7z.exe
File created	C:\Program Files\Genshin Impact\languages\ko-kr.qm	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\ja.pak	7z.exe
File created	C:\Program Files\Genshin Impact\updateProgram\translations\qt_da.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\translations\qt_pl.qm	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\crashreport.exe	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\zh-TW.pak	7z.exe
File created	C:\Program Files\Genshin Impact\updateProgram\translations\qt_fi.qm	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-core-synch-l1-1-0.dll	7z.exe
File created	C:\Program Files\Genshin Impact\Qt5QuickWidgets.dll	7z.exe
File created	C:\Program Files\Genshin Impact\vcruntime140_1.dll	7z.exe
File created	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\bg.pak	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\translations\qtwebengine_locales\th.pak	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-core-heap-l1-1-0.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\api-ms-win-crt-convert-l1-1-0.dll	7z.exe
File created	C:\Program Files\Genshin Impact\api-ms-win-crt-stdio-l1-1-0.dll	7z.exe
File created	C:\Program Files\Genshin Impact\imageformats\qwebp.dll	7z.exe
File created	C:\Program Files\Genshin Impact\qmltooling\qmldbg_native.dll	7z.exe
File opened for modification	C:\Program Files\Genshin Impact\updateProgram\languages	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GenshinImpact_install_ua_6c73f16b76b3.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GenshinImpact_install_ua_6c73f16b76b3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	GenshinImpact_install_ua_6c73f16b76b3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GenshinImpact_install_ua_6c73f16b76b3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	launcher.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
1320	tasklist.exe
4932	tasklist.exe
1008	tasklist.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	crashreport.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	crashreport.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\shell\open\command	GenshinImpact_install_ua_6c73f16b76b3.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\shell\open	GenshinImpact_install_ua_6c73f16b76b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\URL Protocol = "hk4e-global"	launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{62C8F37C-2493-479E-BC64-C93D61C5093D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\shell	GenshinImpact_install_ua_6c73f16b76b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\URL Protocol = "hk4e-global"	GenshinImpact_install_ua_6c73f16b76b3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\UseOriginalUrlEncoding = "1"	GenshinImpact_install_ua_6c73f16b76b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\shell\open\command\ = "\"C:\\Program Files\\Genshin Impact\\launcher.exe\" \"--url=%1\""	GenshinImpact_install_ua_6c73f16b76b3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\UseOriginalUrlEncoding = "1"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global\shell\open\command\ = "\"C:\\Program Files\\Genshin Impact\\launcher.exe\" \"--url=%1\""	launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\hk4e-global	GenshinImpact_install_ua_6c73f16b76b3.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	launcher.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\install_tmp\:Zone.Identifier:$DATA	GenshinImpact_install_ua_6c73f16b76b3.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 913993.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\install_tmp\:SmartScreen:$DATA	GenshinImpact_install_ua_6c73f16b76b3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
3576	launcher.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
1224	msedge.exe
1224	msedge.exe
4564	identity_helper.exe
4564	identity_helper.exe
652	msedge.exe
652	msedge.exe
1296	msedge.exe
1296	msedge.exe
392	msedge.exe
392	msedge.exe
5272	QtWebEngineProcess.exe
5272	QtWebEngineProcess.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
3576	launcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	Client-built.exe
Token: 33	2892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2892	AUDIODG.EXE
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	4932	tasklist.exe
Token: SeDebugPrivilege	1008	tasklist.exe
Token: SeRestorePrivilege	2148	7z.exe
Token: 35	2148	7z.exe
Token: SeSecurityPrivilege	2148	7z.exe
Token: SeRestorePrivilege	4452	7z.exe
Token: 35	4452	7z.exe
Token: SeSecurityPrivilege	4452	7z.exe
Token: SeSecurityPrivilege	4452	7z.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
1160	GenshinImpact_install_ua_6c73f16b76b3.exe
2148	7z.exe
4452	7z.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
5272	QtWebEngineProcess.exe
3576	launcher.exe
3576	launcher.exe
3576	launcher.exe
5840	crashreport.exe
5924	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2192	1224	msedge.exe	81
PID 1224 wrote to memory of 2192	1224	msedge.exe	81
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 3412	1224	msedge.exe	82
PID 1224 wrote to memory of 412	1224	msedge.exe	83
PID 1224 wrote to memory of 412	1224	msedge.exe	83
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84
PID 1224 wrote to memory of 4156	1224	msedge.exe	84

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd4a753cb8,0x7ffd4a753cc8,0x7ffd4a753cd8
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe
  "C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1160
- - C:\Windows\SYSTEM32\tasklist.exe
    tasklist /FI "imagename eq crashreport.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\SYSTEM32\tasklist.exe
    tasklist /FI "imagename eq launcher.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\SYSTEM32\tasklist.exe
    tasklist /FI "imagename eq QtWebEngineProcess.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\7z.exe
    7z.exe l "C:/Users/Admin/AppData/Local/Temp/Genshin Impact-zpHYSP/app.7z"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\7z.exe
    7z.exe x "C:/Users/Admin/AppData/Local/Temp/Genshin Impact-zpHYSP/app.7z" "-oC:\Program Files\Genshin Impact" -aoa -bsp1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4452
- - C:\Program Files\Genshin Impact\launcher.exe
    "C:\Program Files\Genshin Impact\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3576
  - - C:\Program Files\Genshin Impact\QtWebEngineProcess.exe
      "C:\Program Files\Genshin Impact\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=11879974683365422341 --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=11879974683365422341 --renderer-client-id=2 --mojo-platform-channel-handle=2452 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5272
  - - C:\Program Files\Genshin Impact\crashreport.exe
      "C:\Program Files\Genshin Impact\crashreport.exe" --ipc_field=eyJjb21tb25fY29uZmlnIjoie1wiYXBwX2lkXCI6XCJwbGF0X1dpbmRvd3NfakVlOEsxblBNdFwiLFwiYXBwX3ZlcnNpb25cIjpcIjIuMzEuMC4wXCIsXCJhcmVhXCI6XCJvc1wiLFwiY2hhbm5lbFwiOlwibGF1bmNoZXJcIixcImNvbXBpbGVfdHlwZVwiOlwicmVsZWFzZVwiLFwiZGV2aWNlX2lkXCI6XCJiZGMyNTlhODFlZTc1OTAyZWJhMjAyY2RlODMzMTBcIixcImVuZ2luZV90eXBlXCI6XCJVbml0eVwiLFwibGlmZWN5Y2xlX2lkXCI6XCI2OGFiNzc5YWZmNWFhMDNlNmIyZTVlZjllMWY4NjNcIixcInBhY2thZ2VfbmFtZVwiOlwiR2Vuc2hpbiBJbXBhY3RfNmQ4MjlhODQxNzAxMzEzNjA4XCIsXCJyZWdpb25cIjpcIlwiLFwic3ltYm9sX2lkXCI6XCJHZW5zaGluIEltcGFjdF82ZDgyOWE4NDE3MDEzMTM2MDhcIixcInVzZXJfZGV2aWNlX2lkXCI6XCI1MjMzZjNiZmNlNDY0YmQ1YjVkOTcyMzdiNDU0NjJhMTE3MDk0MzAzMzA5MDRcIixcInVzZXJfaWRcIjpcIjUyMzNmM2JmY2U0NjRiZDViNWQ5NzIzN2I0NTQ2MmExMTcwOTQzMDMzMDkwNFwifSIsInJlcG9ydF9tb2RlbCI6IntcImR1bXBfZmlsZV9wYXRoXCI6XCJcIixcImR1bXBfcGF0aFwiOlwiQzovUHJvZ3JhbSBGaWxlcy9HZW5zaGluIEltcGFjdC9kbXBcIixcImxvZ19kZXN0XCI6MCxcImxvZ19sZXZlbFwiOjAsXCJtYXhfcmV0cnlfY291bnRcIjozLFwicGx1Z2luX3ZhbHVlXCI6e1wiQ3Jhc2hUeXBlXCI6XCJcIixcIkZpbGVFeGlzdHNcIjp0cnVlLFwiRnJlZURpc2tTaXplXCI6XCIyMDg2MDQ0ODc2OFwiLFwiRnJlZU1lbW9yeVwiOlwiMjA3MDAyODI4OFwiLFwiTmV0V29ya1wiOlwiXCIsXCJTeW1ib2xJZFwiOlwiR2Vuc2hpbiBJbXBhY3RfNmQ4MjlhODQxNzAxMzEzNjA4XCIsXCJVc2VEdXJhdGlvblNlY29uZHNcIjpcIlwifSxcInJlbWFpbl9maWxlXCI6ZmFsc2UsXCJyZXBvcnRfZW52XCI6XCJyZWxlYXNlXCIsXCJzdWJwcm9jZXNzX2ZpbGVcIjpcIlwifSIsInN0YXJ0X21vZGUiOjEsIndvcmtpbmdfZGlyIjoiQzpcXFByb2dyYW0gRmlsZXNcXEdlbnNoaW4gSW1wYWN0XFxhc3Ryb2xhYmUifQ==
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,1241283301227593626,5146911555071623523,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Genshin Impact\MHYQtCommon.dll

Filesize
2.3MB

MD5
0d067ef5972172130a8f4f2e2050297b

SHA1
59740e5828d6f378657685c282c7fe52ced87a7d

SHA256
d669e42a993b7ff7e9a8de625c9017e2ccc06832ccbb97f1b271c62f1a38ffba

SHA512
b46ae6c0e07dbfe9aec7bc6818a06c73ab0a4a131cd50d9ccaf6f39ea26c2c272a387969be7cd33ded02186d1149c33ab9191dc482a781ff8627fa51183d0100

Download Submit
C:\Program Files\Genshin Impact\MHYQtCommon.dll

Filesize
3.2MB

MD5
4d8d5328f8593bf5497ec6abd6398185

SHA1
24501389a5f0b3942e2edbc06f142cc493d55d17

SHA256
1fed977b76a2ee1535913a3ef3e25e82c41cfaaa4894f24005e113de3d734904

SHA512
c875244337a95e5c999b5c1188e62ac21e1600d779621db7a27c3c4b903c300bda0867c17e2474aa300fc4a8c0e6f7edd4bd5b2883813411fde789d454d918d3

Download Submit
C:\Program Files\Genshin Impact\Qt5Core.dll

Filesize
1.9MB

MD5
a58cb4fa1ddaa8a1321b6063069992e1

SHA1
061662a8145c13369775346ea12ba2b085ff6114

SHA256
a29ea633a94f6408665d8d82cd106de7d38e3e26e5a92c343bd8232eed3d52ca

SHA512
c0471ad4e24eed34a17447a69a599bbd0ed2202f56c253a831a600f2d54870dafada9965224958703c89fd2f7524e0659d422390853f1b3984cd716850af4345

Download Submit
C:\Program Files\Genshin Impact\Qt5Core.dll

Filesize
2.2MB

MD5
3d1c0517daeaa5aa608bb48d79f4e187

SHA1
ee0aff0bbf158c9c98090cfdcfd581bac9f37002

SHA256
4c754b2fa9ac14b289d44eb97e5f6dd2b572da9091a9e6782c2558261c31ec94

SHA512
7872fe5aa7df5735ac299ae3eb86bff9a125df18463108b124916101b23431132f2da0375f9ac7bae4894d0ac2255997703070cb02a99578c5513f2c2e6543c6

Download Submit
C:\Program Files\Genshin Impact\Qt5Gui.dll

Filesize
2.5MB

MD5
b77e47fd6c1321d531f2afb863447794

SHA1
aae61e04fc1b2989a236a1ad3ccacde098170b8c

SHA256
4f38abbf26252e2f19ea51cbe0b1d2f002abe2a716f732e45df8cdf54273f6e4

SHA512
91ddb6cc35fe92c74e21f89bd544143ecb20fe6403269bc376d8aabcc8ab7739c2297425596a2d669963978199ddd53a5fa4244132a635b61d59f36b982ab73f

Download Submit
C:\Program Files\Genshin Impact\Qt5Gui.dll

Filesize
2.1MB

MD5
31350f884ddc9f37ab0063e38691960b

SHA1
0f511762fe172830d0362440796b7eb3f20f8eca

SHA256
e6e02929a26f020235226527aca0d9b5fffa798fbc3bb0255b0e614bf724d0e7

SHA512
e877f0a1b743af3a68074cb758b9a7a96080f2e00767e3138117be1fa0fd6295683515eedd25e06b9a5569ab8219fef27db553175e7f9eb6c3f28a01bec1163b

Download Submit
C:\Program Files\Genshin Impact\Qt5Network.dll

Filesize
1.3MB

MD5
cc214788c1659b6589cfe627ae10d348

SHA1
68ff3d326943c5405be5c509415db54e9eeeb287

SHA256
6b9df21f01d278608e3f5376e2cbb6933d9ebc560b3722d39148151840a8237c

SHA512
009dfda81c4b9a29a645593bed3dc52e2eff2063bae6426689bdd1c4bbac4a87e1f1c89dbff27a12fb3007749c1bdd4cd0acf2150a6dda0744e17e62fdea8e0b

Download Submit
C:\Program Files\Genshin Impact\Qt5PrintSupport.dll

Filesize
331KB

MD5
6bb48bf938f34bae011916d8f91ecc43

SHA1
0d578b6c9556a8355c4932f3c672c1c312764f2b

SHA256
bca34de929ccc4cff0212efef1cbfa1bdc857f4884979d8c6ac3a4646f3457f6

SHA512
bea64e4e30ac955f9ee22e65d2135093bbef0f4ced1242844cb82bebf0a43530a31b7a272ffaa7d7e1f48127950e367e7aa93559d6309ba5c606ede5bd13a4bc

Download Submit
C:\Program Files\Genshin Impact\Qt5Quick.dll

Filesize
2.6MB

MD5
4a608e0d7446fba2abdd9d61605c2632

SHA1
b19f2103995668de18b613c31fe98bacd9b93299

SHA256
34885b87e56f47d27dce17343d3ab17a326287bf278695b616b412b69229d77f

SHA512
fa06196c180cf38d92a69033f090949885e36f49fefb712650790f4ba8ab915e20095f05f255e27afc757e688227fc84c9315033c99bcf44b07f8799947ff46a

Download Submit
C:\Program Files\Genshin Impact\Qt5Quick.dll

Filesize
2.8MB

MD5
88a8fe2df260c07e9c3b5f4affbf8002

SHA1
39785cb806047538cd56deb975d2dd435848b762

SHA256
debd8babf12867eadb3123f7c360c96f996446b617820a5897385cbd4d3bbfa0

SHA512
6e6944d23275797da9f21d17babba6211b141acaabd7ac1e55a08781a9b5ed9d429f86c19e6940bbc4ca0f7399c80e7a5102a193570b264d98334f5847c3df78

Download Submit
C:\Program Files\Genshin Impact\Qt5QuickWidgets.dll

Filesize
92KB

MD5
bff3879b9daf123fcd1200521b23ae9a

SHA1
0758acd6d14d56f25ad2b701247cd644905d2659

SHA256
ca1bfa459f521da61d2f1bb5d20e2f31bcc935149ac317873227c85e28006a32

SHA512
08bf6447c3ddb89b300dfa7504c71e816bd538dbae2f042c44828c694575e268b465f18854f7a4722f80cbf380b84ed1a14c1acc41a54fa7f633b6203c562765

Download Submit
C:\Program Files\Genshin Impact\Qt5WebChannel.dll

Filesize
134KB

MD5
7d09625e4f8ff294f5827a29ffbd882d

SHA1
92dcaf3fff3c44cbe8c168e7609ff2ae5514e419

SHA256
67cf1104d5bcce62b4e8ce0f747ca7c8b3906d69f8d508c277e046fd76de42ac

SHA512
4f0ea8c44bbdc5b16cdb04425f65bad227a37488276ac52300c2690803927c34bee11258163c9911431dab70313fd8d44e248be5efad005875120f90d5d24315

Download Submit
C:\Program Files\Genshin Impact\Qt5WebEngineCore.dll

Filesize
3.0MB

MD5
d35a0a18785aad702c0bb0a1247b6532

SHA1
882f036b9ea34740ccdbce1aa5e5a3e08209d4ad

SHA256
96f3a59c46b95ae24a27a4643cab7d259415f8de501d44f01b5d36be40db9283

SHA512
d1447624b91614278f4954c82a7f7c9b1c7a597dec95405425327d2c7668449c32c33e5bf8d84bf23d767f2a6b676069609ce397de85ea96010c8774b77ce43b

Download Submit
C:\Program Files\Genshin Impact\Qt5WebEngineCore.dll

Filesize
2.1MB

MD5
fe05871b6e35d6227be3219d1ee4c8ba

SHA1
3c1e0bda22ceedc10fb600e07e27c47a5cd387c8

SHA256
2f03942346257512d2b12fa9a21cb8380d75a9425065e904ac5a9e127e6067eb

SHA512
275073377458787eb90e12991f64217a2b4ff79c1bc8f0763afa322f851a3a35bfac013562f9cefba53de7aab5d513bc15a3ef12a331fb4c3cfdd54eab574963

Download Submit
C:\Program Files\Genshin Impact\Qt5WebEngineWidgets.dll

Filesize
241KB

MD5
64ed5b188277a9df79cd0d0caa82fa00

SHA1
fa1b4edca83bff5aea9797ec1b38e9b849394bb1

SHA256
a38d8655ae6f01b03e3b1bc8332ff8296fa579be8c8b05d6a627ac9fb43aa50a

SHA512
62af933f68d1977b63f756c86a5bbc7c7e83f5257be5b9ff5a9dabdc7b1431180ce6b6bb389f9fcc1828e0f795985f195d47ed9e05c440b971f0841ae7cb365f

Download Submit
C:\Program Files\Genshin Impact\Qt5Widgets.dll

Filesize
2.9MB

MD5
d0a3aa8c4131939af92dd6053a3f92df

SHA1
5fcba19de4bdb7a821a00a28810c29896b9899a9

SHA256
7be18675ac9f657d32771b76c355f502f51809e72f639c05def8a817efbd85d1

SHA512
796ff9d4880b6226ca1adbefc00480f1ffc6030d64716a0f8663bce72851bdcad5061653b432ae319be97e6b85beb4f669ffbe005e896a2d28b053d7d4fc5fa6

Download Submit
C:\Program Files\Genshin Impact\Qt5Widgets.dll

Filesize
3.1MB

MD5
5230ba9b7a6ad5b85ce1b6e215fc8070

SHA1
8d1bffb839aee74105477843393a6382c7350f89

SHA256
1f8d2d32d7419c5e17e91583f2eb43f6999af9d4a91f2ed77a0ff7295fd0530b

SHA512
1ad2a27e0572bc8fbff057b91e8f3a72e30fc7bb9c55c82cb82e8b08ad289d623da2cdb006a2c2a335df938bf4a6155ad80071c5ebcc7c9de23e83c36372273a

Download Submit
C:\Program Files\Genshin Impact\astrolabe\Preferences

Filesize
83B

MD5
02148eee295bfdac6e1548d85e91323b

SHA1
50435b17d2303ea044bbd58ea1e869f58edf92b3

SHA256
a90c1952d828051460cd42213ab45ef546ed7c06a6a65fd550dea9f9445a2320

SHA512
c8fea297e3a5e548a6500b1422e4f2d64783783c3899caba8f73fbf7327f7370fbe328a981c09057312dbd4f5f174e562d777c222b86aae76287165d57839f0b

Download Submit
C:\Program Files\Genshin Impact\astrolabe\Preferences~RFe58e9de.TMP

Filesize
34B

MD5
a3e875b4a94923036c6f6c3bdb846135

SHA1
7af9eee8740a83c6880ed1269c4fd0f0c45e1433

SHA256
153b608757afe9413390d8c4139dc95896a12549e6da586b500f56eb170b3c93

SHA512
df6d214d30f380fb6b7cd89f4a2ce853c44de0c09483c40179d804909283b5a95ae6159fe21bdf2413bb668fdc53240d5b1519e15340736daadbefb44e860b7b

Download Submit
C:\Program Files\Genshin Impact\bg\f0da204d4b20ca4cb298355aaa5eae89_222990510567039803.png

Filesize
823KB

MD5
f0da204d4b20ca4cb298355aaa5eae89

SHA1
47fbc526dbd02ab8cead1435930120a0cf015367

SHA256
24e653630f9b18a0e37ab227bd8a62974ecdc2fe5d4eecfe4916654aa83e32a8

SHA512
cc6d1df7f6d0fa80b99cc09c85fecc659eb6b3cffb3bb3dc534186e0562ad43bb43ad6a56cdbe282e5c7a1957a93750f9bfd79b69af638e1830ac553462e50b0

Download Submit
C:\Program Files\Genshin Impact\config.ini.lock

Filesize
61B

MD5
91b3410ca82535064127faa102b1d5d2

SHA1
e29b2a52214a5f7f37471cc4e87dd7b0e46e8bcc

SHA256
45f8865979f1174898f513f3a39d54ec79e4029e144b414909cbd2ce15c835a5

SHA512
2e57fb73062758a3bdf684bf234e862fe43727c235f041dbdbe020b04d357b7f5bdd5c930bd54d0a67c929fc16091c4df3bf50787f50a946ae3714d8294aa247

Download Submit
C:\Program Files\Genshin Impact\launcher.exe

Filesize
3.4MB

MD5
70106ec5fdd2eb9b28ffdf1f4a409bc2

SHA1
df78a6f6b4b0af8948d5751ed92bd14e487f2613

SHA256
222441930a759e72f5875abe9092ac5b72de5875f027f869c991b1e5f5c12261

SHA512
56fc6d4684ce5fc9ee04212aced84174e0b0817c33017998e09b9d5916d7181e4f130b5161de5590e2847f418afca6a0b1b9786591b92beb3d738110fc35476f

Download Submit
C:\Program Files\Genshin Impact\launcher.exe

Filesize
2.5MB

MD5
e4253b97a4918873b2d5798d61cba70e

SHA1
f7c1b3df970ca3e8d62843408f774a7c9f082ea4

SHA256
927202903de16f0d2cbcac6e0d190b940778ff6758ecacb2995906e1930e5e26

SHA512
0f021653412d053db371f2f277e3f12d99ba54ebb7ce534199645b6e2139210c25d25f086fc235868f0733c926610c25a7866ecc40ec577d7934be07fcbd8158

Download Submit
C:\Program Files\Genshin Impact\msvcp140.dll

Filesize
580KB

MD5
62a538f342ff490ddf5b7c7d354e36bf

SHA1
b166ed0fd43f054b59f1843d4b1af336810f8832

SHA256
1345b1f74cf1dd3677bcf3499462714795788eaaa20b9702cdc7baafa4beaf8d

SHA512
598907ab4e37a0092a1f651215a7581ad0d0281e6511c06408ad0f93af65892876e4075c73063da0772cc962bacf5900d862a805384887ea5daf52490e5ff51a

Download Submit
C:\Program Files\Genshin Impact\telemetry\telemetry\Preferences

Filesize
82B

MD5
1683badecaa052a4322db8915abae174

SHA1
9bf1c74db31db6ace3ba7be49f8aeb37355ba2ca

SHA256
aca2a3a6a3ec27a75898325cbf295d0ae7af3135d5c8607eec103ad6d70a0f13

SHA512
4383c61ffc9387effa3d8eb7910d0459259e810fed5a3e022525ede87ec8e6bd97f9f2f3494d1d88041380f7b76504e915d7264179b554d8e431788d57f56a6b

Download Submit
C:\Program Files\Genshin Impact\telemetry\telemetry\Preferences~RFe5910de.TMP

Filesize
61B

MD5
c382195498dab55246e1139a111e7e83

SHA1
735e780a835f2455b0f38f773fa30131c63abd73

SHA256
81149b9abbb8476811b63457ef519ad0b4fd7b740972a827afa368d4f9ca6a15

SHA512
56ec62ba153f8e1cefa5491f9a5ec7a20b84879b928107ae901e8f816ab990c686896b00dbe4696f31ac32439479addf75d5af30e201c1ab1f221c9b27e6e736

Download Submit
C:\Program Files\Genshin Impact\uninstall.exe

Filesize
3.4MB

MD5
ef4abd3f33040cf38b90441df92b6b63

SHA1
0bb3f86e74906f4e61a3687c2b2b00c81e08724d

SHA256
562d064416f2cac751de123f1c50377aeef2d45f427af0cdd60a6870a7d74e61

SHA512
7706b8a9103bbd03c9282e6a8e84518820558af4ce4d5ba2de27a78f3698471e28a239045b8e59da7e4d402f2db3dd0015a614a839788fb36ef8d97978dc622e

Download Submit
C:\Program Files\Genshin Impact\vcruntime140.dll

Filesize
106KB

MD5
d0df1bac72398d794bec867bffcd0ddf

SHA1
1c6a1f62fd07cccb7461a39178d7afcba4b0eba9

SHA256
70661f44e0f9a2bb17ceaa2b798486b6a05feeb3eb8a41a94919d71720334051

SHA512
584fa39037af9d716c45e228ff7710a7ea61ae449b95a8d7efe5578692555a502be6b2f490a6b161fb42f45af9f30f786390722c29bcac20c28f9348da24157b

Download Submit
C:\Users\Admin\AppData\Local\HoYoverse\Genshin Impact\QtWebEngine\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\HoYoverse\Genshin Impact\QtWebEngine\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\HoYoverse\Genshin Impact\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
6ffd37b5d0f465124fff4bcc1ab7783c

SHA1
a0d039fdb7bec8d3d5b32558a23ce8da6b0878f3

SHA256
0e0045279b2d8abd16ede581e870977c7bbd3861ab58f8b10e582e89705ebaaf

SHA512
bc85ebf0342bd91fcd5f15b3feedb593c12d58b5487f187dfd8b148fec92357a101eeb0e7d1e9ad4df063b825e3faa84185c07f380642577e0274d19b1c20c97

Download Submit
C:\Users\Admin\AppData\Local\HoYoverse\Genshin Impact\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
6df4d5496679090e7eb522b3ceb84382

SHA1
36cf9a80476dc52fdc6379d6a392ea6fdb1c1bea

SHA256
3a688a7859e65fed19f6bf387a62dfc885d8218eeb6aa174925d6af71e99bbfd

SHA512
04bf0e3b45f2a3099caaf94af9bd2796bcc1015fa194dc49b9bb16743b0534936e333ec6364de579a385bceecc0c393c1ad7a357f44668dbb074fb01c624a422

Download Submit
C:\Users\Admin\AppData\Local\HoYoverse\Genshin Impact\QtWebEngine\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe595431.TMP

Filesize
48B

MD5
8a6092eb45bf8ed1f7861ee0c86c31d3

SHA1
b9246c2234c1b02ce2e0cc13464e55839e13f0b7

SHA256
8b606e94976a9ce8ca4699a2e10a60bef9c44c52e09c71c43af1cf0aaf833cba

SHA512
8845ae16ec77d94ec441dc9494f33c3852c7b204dc8e509f4ca6ae64d44348640c512c9a52ec9b46da25fcea8c0bfa1473239e34604c87ad6f3f020798583e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b861076d49a1bb102d666bb5d775908e

SHA1
f7ab1d678460e6bae13333ef0a6566855a20b8e0

SHA256
9d0000198c5f83e557c7baada23c6a9945cfb390635e09035c016bb49a5ed8a1

SHA512
2572d5d18451167ec101361077fe03037eaa84bb57956f37328606c72d70a57a3caa221bd8918d8306221c66d65988597a8370e3311511732e83728bbd9a8aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6354caecffbf59ef391fb3757a122e44

SHA1
83056278b6450f02556af90f2efabd89b990cde2

SHA256
aa7263fdf98ddffc0bb3c19e871fe9febfd49038a078aa1f20fde61f5887b853

SHA512
7fd989bddf39334a7e6b517135fb8fef64cb9f3abfcbae978b2266e3b2620bcfbff734dfc860250b5d694388ce5f50895f06eca14a315a14ed30ae8b7f2fc759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1a159078dc016bacc2fe10a8c82db464

SHA1
048a1a1eeb06609005515a559692aff3e06082f7

SHA256
5315a19335a8d2e85861badc39e37ed1cb9f7275e4d4bb7748a5acad778d10bf

SHA512
398e9ce9d9779f45ad382c36da7f93edbc3b4d86ee4e9c359ee3370e5342dcb49c7865ea2d1c29e67fa522329506fc0496102ed214f025d8bfbecc42efa6e4ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b8f088cb0f3c0f8381ac5e1d487b1dd

SHA1
7bf3fd601e79a29cf24a60695ed4ccde7ca116ec

SHA256
16e0c69d3338152e9f2709bd0abfcfa063e9154a21ac3ffaf45a18dcf105c26b

SHA512
a8201d9b272dee2f0ce6b2d7a43e25abe5730a8019b652f45900226c7f29767e3aefb12e578d133dcc297f2799dc37fb442930d063e0cc095c64abad7384b8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6c941b7edb309b32854ad42019cf975

SHA1
57bf19050e2217f1750c951e58339029770a5f90

SHA256
39e5687520102222355e99e906c005cef61103a27b78173623b377fa629bf4f0

SHA512
223d5d04cc8914875b1e5cb32ca815a9d89f30800fb4f3dd531941f5a26a71b5caf1deb1c15a639d1d60fa3a9daf41968b9e20c3338a89ac329b248a86521084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eb0cce8becde357d349aea79e461829d

SHA1
fe242cf359024e748b9e537290921b8ba19cb5d8

SHA256
4384fbb2b4ac442cd030274e830440c1e9d1929ed94d9520dd642a5b8dfc69ae

SHA512
d25374827ba63ef1f25cf3ad073ba40e7faaea1ad7623ced298073d6d7682fb720dae8f2a36d26cda8459fd1a12ecf447a84ef41b48141c0d414a69cb7ac3b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60c84aa2bdb88211096368a55a3d208a

SHA1
846420971cba588eb152844d60abb2714abe44d0

SHA256
6eb3043009613d4afae02c894b167fc2cb92220c812ef3d421bce71890f9a9fc

SHA512
1222ac4e46e0d0dd2da1eff10c1e7bdd7c95656bf3818c50924b26542bbf72a952f80d279f7d337527bc413e860f507601c1405d74a05124c8f81a7f05398cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe55.TMP

Filesize
867B

MD5
05ff8eb1a8e1fd7e5184ad311db24d64

SHA1
af79cde482e5e5490d3d7dc613cb395c43ff4616

SHA256
d9d898825d883060211ba312912141e838913f96a88f27b3e94fc40206cf865d

SHA512
7d1e6d55eea32105635e2748db26801b67915ceaabf28fc787769bf7dff2cb0dfaee78cd6eeefab5dd35977ac6056c08abca41895d6ae88fcd84bb191ecb40ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ee4daa70e788acacc6952294588825b

SHA1
3d9121e147cdb0e9a230c2405494ada673e879cd

SHA256
c1d305ef898ea1dce5a1698bdfb644e41c618f43aa08daa0bb32ccc4641588a8

SHA512
2cf55c40ef75f34b8d9b7971ed0aa80870705bb3befeffb4619769aba966cc883d3977b6fc1a0c7d6ceadc95c3c7d7cae3db3dcaf9d8039849edb2704386b452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
56e9a75ab5bfd34cfd658f6b1fa50705

SHA1
f946297ed01870162d5f39ea34d13fed5aba78af

SHA256
0b1e11d51d1228388a5c55b09209b0147047d6561552e871cfa978f625e99f08

SHA512
033c65b59720c6b32397f8b3b50472be96863289db5b3a84ac73352fa86ca7f5757ac6db8259a4c572eafec5551f30aa422d81a64fdfe1692a41d7839a277153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7706d3e67d303d9cfcb8f88ac20c818e

SHA1
81406121fbd93fc10366466cc8835fa38db2bdda

SHA256
5668c685990f0b3a027e8f115997d068f16b59c915a7b719009b459974f30d1b

SHA512
586f699aa91406aeb018d88f15590f5327af731d4e9f4454e836e6765f3967118081a5393ff08a1840554ee10710e8ff00da0c0d79fec628219252f78e8c95b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
09b5cac194f4dfb0040c655388dceb53

SHA1
558d41d80281c32523a715f42891416b70722179

SHA256
52a5f4f6c80c2ede96a6219717471c54b7a82f0caf5ef1a6a5ce602456e5d2df

SHA512
0a14435c05b834c620fc7fc4cdd902739cb52da8a6ecad871524db62132a0567c35ce0fb22f72899f167fff3ff438464f0b17e85eda54eb5b1cfa9a17d878166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\7z.dll

Filesize
1.1MB

MD5
e7ae42ea24cff97bdead0c560ef2add1

SHA1
866f380a62622ab1b6c7705ddc116635e6e3cc86

SHA256
db2897eeea65401ee1bd8feeebd0dbae8867a27ff4575f12b0b8a613444a5ef7

SHA512
a4a27b2be70e9102d95ee319ec365b0dc434d4e8cd25589ce8a75b73bbe4f06b071caa907c7a61387b2ce6a35a70873593564499b88598f77a7c25c47448fb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\7z.exe

Filesize
286KB

MD5
afc08ce359e79887e45b8460e124d63e

SHA1
e8dcddb302f01d51da3bcbfa6707d025a896aa57

SHA256
a20d93e7dc3711e8b8a8f63bd148ddc70de8c952de882c5495ac121bfedb749f

SHA512
32d3b8d964711a5706f8cf9f87bc6e33670bba2cb3ab88603dec399652ac7fe297a4692f0865a0bdcbd06515d6b0a84e5a96d1b7fda48f556543536889ba387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\7z.exe

Filesize
256KB

MD5
cef62c196eea91086354e04f04141c43

SHA1
8bf54d56936fcad8be1fcc99cccdc15368e082e3

SHA256
26e0d6c8f8b0c77d56a60f516aab29aea8bc367a7ab7b94ad9ac6908f2a2e49b

SHA512
dc8ff31a0194d9798a15cda48a9b203c99efb7a871a946c621474ec282e9a4905e549c0f34f62e1564ce6341e88c1dbb1c04d15d091b761d7f4ce772049a5dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Genshin Impact-zpHYSP\app.7z

Filesize
38.5MB

MD5
0942c7fe4300f082c8f21169518f8b08

SHA1
5d6c6d55deaeb25df02215792e5e125ec4acfb9e

SHA256
24448e9afd828ed8f8bbb29325397bf9bd1a54e81b324bbbdfba78507e986513

SHA512
0e40b7d099c77692dd38db8e49b8a316df20a0b63da99532145b7caf6e299d1e2602db66cb6353f7cf7b0221d5e0ae8422ea285203ed7bd9447834185e833b88

Download Submit
C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe

Filesize
16.7MB

MD5
60bf997ed846b2b66e8d7479f6f9a1ba

SHA1
0a9fb13b98667a6901c40d9c7a7bf3c7fe076053

SHA256
8dc595f14173310ebd642b32e83d8895a5640110a6f187cf8e61173fc539e24d

SHA512
8976109034d0438faca6d9d0f2e5b00170f1876dac7f3f3520d31a738f18d1694f55646ef406500f3db86a07efee76af258b235d3d1a2985b25591151b376c06

Download Submit
C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe

Filesize
15.2MB

MD5
503743fae4fade9c6b0a4a7b0b9d3c0a

SHA1
7428e1a5f192ae4273e94dd362e267cdd98768ee

SHA256
aea7615a5a5183d0a1e6a6bac8b28be52788caf98ccad7b9a6e9ecee56d63d5f

SHA512
dd89820888588c86e523f229964109ec7ef12006c54f2a90f9fd40ac28db92e85b447725c71c30adc97002fce2b030b9e2701f9125389fa808d0c74056cf6a00

Download Submit
C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe

Filesize
66.0MB

MD5
fcbdf196f823db81766f5b4667f8e677

SHA1
43fce7cdf2dd762535d81bc21fedfbea0597abdd

SHA256
59a76f02848d766f69bddd11c42b0290982644949ffb26af648746e21c15b99a

SHA512
deff48982a2bf51087863516a40d8cf496333398bdba34e80df099a1b8de34ce40bc1e40995708ba9e7a8fc834e1a0b7d0e924131292d53d57ba2cb0927287f4

Download Submit
C:\Users\Admin\Downloads\GenshinImpact_install_ua_6c73f16b76b3.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3576-1248-0x00007FFD3E4F0000-0x00007FFD3EA4A000-memory.dmp

Filesize
5.4MB

Download
memory/3576-1249-0x00007FFD3EA50000-0x00007FFD3EDF6000-memory.dmp

Filesize
3.6MB

Download
memory/3576-1247-0x00007FFD3EA50000-0x00007FFD3EDF6000-memory.dmp

Filesize
3.6MB

Download
memory/4416-4-0x000001C97A930000-0x000001C97AE58000-memory.dmp

Filesize
5.2MB

Download
memory/4416-164-0x000001C97A400000-0x000001C97A41E000-memory.dmp

Filesize
120KB

Download
memory/4416-3-0x000001C979650000-0x000001C979660000-memory.dmp

Filesize
64KB

Download
memory/4416-2-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmp

Filesize
10.8MB

Download
memory/4416-1-0x000001C9796B0000-0x000001C979872000-memory.dmp

Filesize
1.8MB

Download
memory/4416-142-0x000001C97A480000-0x000001C97A4F6000-memory.dmp

Filesize
472KB

Download
memory/4416-162-0x000001C979680000-0x000001C979692000-memory.dmp

Filesize
72KB

Download
memory/4416-33-0x000001C979660000-0x000001C97966E000-memory.dmp

Filesize
56KB

Download
memory/4416-0-0x000001C977040000-0x000001C977058000-memory.dmp

Filesize
96KB

Download
memory/4416-487-0x000001C979650000-0x000001C979660000-memory.dmp

Filesize
64KB

Download
memory/4416-365-0x00007FFD4EF90000-0x00007FFD4FA52000-memory.dmp

Filesize
10.8MB

Download
memory/4416-442-0x000001C97AE60000-0x000001C97B12A000-memory.dmp

Filesize
2.8MB

Download
memory/5272-1261-0x00007FFD3EA50000-0x00007FFD3EDF6000-memory.dmp

Filesize
3.6MB

Download
memory/5272-1262-0x00007FFD3EA50000-0x00007FFD3EDF6000-memory.dmp

Filesize
3.6MB

Download